What exactly does Annex VII require?

Annex VII of Regulation (EU) 2024/2847 requires 8 categories of content: (1) general product description including intended purpose and software versions, (2) design, development, production and vulnerability handling information including SBOM and CVD policy, (3) cybersecurity risk assessment per Art. 13, (4) support period determination per Art. 13.8, (5) applicable harmonised standards or alternative solutions, (6) test reports, (7) copy of the EU declaration of conformity, and (8) SBOM upon authority request.

Does the documentation need to be in Chinese or English?

Art. 31.4 requires documentation in an official language acceptable to the notified body. For Default products using Module A self-assessment, there is no notified body — English is the industry standard for EU technical documentation. CRACheck generates in English.

Can one dossier cover a product family?

The documentation must cover a specific product with digital elements. If products in a family share the same firmware, same hardware architecture and same cybersecurity properties, a single dossier may reference the shared elements. If they differ in connectivity, firmware or vulnerability surface, separate documentation is required.

How long must we keep the documentation?

Article 13(13) requires the technical documentation to be kept at the disposal of market surveillance authorities for at least 10 years after the product has been placed on the market, or for the duration of the support period, whichever is longer.

What is the SBOM and where does it go?

Annex VII point 2(b) requires the technical documentation to include the software bill of materials. The SBOM lists all software components including third-party and open-source. Annex VII point 8 adds that market surveillance authorities may request the full SBOM. CRACheck generates both sections.

Is this a subscription?

No. One-time payment. 30 days editing, 10 regenerations. PDF yours permanently.

Can I request a refund?

Pursuant to Art. 16(m) of Directive (EU) 2011/83, licence activation constitutes express consent. Refunds only for reproducible technical failures.

What if the regulation changes?

Regenerate at no additional cost during licence validity.

Your EU customer has added a CRA compliance clause to the next purchase order. They want technical documentation per Annex VII of Regulation (EU) 2024/2847 before accepting the next shipment. Your compliance team handles EMC and RED. They have never produced cybersecurity documentation under Annex VII. CRACheck generates it in 15 minutes.

Annex VII of Regulation (EU) 2024/2847 defines 8 sections of mandatory technical documentation: product description, design and development information, vulnerability handling processes, cybersecurity risk assessment, applicable standards, test reports, declaration of conformity and SBOM. Your EU buyer is not asking because they are curious — Article 19.2 of the Regulation requires importers to verify that this documentation exists before placing the product on the market. CRACheck structures the 8 sections automatically from your product data. 15-25 minutes. €149 per product. 100% browser-side.

Generate CRA dossier — €149 Free: check your product classification

€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side

Key numbers

8 sections

Annex VII mandatory content. Product description, design, vulnerabilities, risk, standards, tests, DoC, SBOM.

Art. 19.2

EU importer must verify documentation exists before placing the product on the market.

15 min

Per product. Your engineering team provides the data. CRACheck structures the documentation.

How CRACheck works

You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.

Read the contract clause

Your EU buyer's clause references Art. 31 and Annex VII of Regulation (EU) 2024/2847. They want proof that technical documentation exists before the next shipment.

Collect engineering data

Product architecture, firmware versioning, update mechanism (OTA or manual), network interfaces, known vulnerability list, third-party component inventory, intended support period.

Run the CRACheck classifier

Determine whether your product is Default, Class I or Class II. This defines the conformity assessment route under Art. 32.

Generate the dossier

Enter the data into CRACheck. The generator maps your inputs to the 8 sections of Annex VII. 15-25 minutes per product.

Engineering review

Your R&D team validates that the documented specifications match the product. 10 regenerations available per licence.

Deliver to your EU buyer

Send the 8-document ZIP alongside your existing CE technical file. The importer's Art. 19 obligation is met.

Archive for market surveillance

Art. 13(13) requires documentation to be kept at the disposal of market surveillance authorities for at least 10 years or the support period, whichever is longer.

Common mistakes

❌

ANNEX VII

"We sent our product datasheet — that should be enough"

A product datasheet is a commercial document. Annex VII of Regulation (EU) 2024/2847 requires technical documentation that includes vulnerability handling processes (point 2(b)), cybersecurity risk assessment (point 3), applicable harmonised standards or alternative solutions (point 5), and test reports (point 6). A datasheet covers none of these.

❌

ART. 13.5

"We integrate third-party modules — the module vendor is responsible"

Article 13.5 of Regulation (EU) 2024/2847 requires manufacturers to exercise due diligence when integrating third-party components. If you integrate a WiFi module from another Shenzhen manufacturer, you must document how that component does not compromise the cybersecurity of your product. The obligation is on you as the final product manufacturer.

❌

ART. 31.2

"We write the documentation once and we are done"

Article 31.2 of Regulation (EU) 2024/2847 states that technical documentation shall be continuously updated during the support period. If you release a firmware update that changes security properties, the documentation must reflect it. CRACheck allows 10 regenerations per licence for this purpose.

What the ZIP contains

8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.

Product Classifier

Annex III classification. Defines the conformity assessment route your EU buyer needs to verify.

Technical Documentation

Art. 31 + Annex VII. All 8 sections structured per the Regulation. The document your EU buyer's contract clause is requesting.

Risk Assessment

Art. 13.2-13.3. Systematic cybersecurity risk analysis mapped against each requirement of Annex I Part I.

User Information

Annex II. End-user cybersecurity instructions your EU buyer will include with the product.

Declaration of Conformity

Art. 28 + Annex V. Formal statement of CRA conformity.

CVD Policy

Coordinated Vulnerability Disclosure. Your public-facing vulnerability reporting channel.

Notification Template

Art. 14. Ready for the 24h/72h/14d reporting timeline.

Obligations Calendar

Maps all CRA deadlines to your product lifecycle.

See before you buy — Download sample dossier (PDF, fictional company) — Real structure, real articles, real format. Fictional data.

Generated from your data, in your browser. No data leaves your device.

What you pay

🧾 EUROPEAN REGULATORY CONSULTANCY

€15,000–€25,000

Per product family. 4-6 months. Requires on-site audit in Shenzhen.

✓ Last regulatory check: 1 May 2026 · No substantive changes detected · View history